Abstract

An efficient evaluation method is described for polynomials in finite fields. Its complexity is shown to be lower than that of standard techniques, when the degree of the polynomial is large enough compared to the field characteristic. Specifically, if $n$ is the degree of the polynomial, the asymptotic complexity is shown to be $O(\sqrt{n})$, versus $O(n)$ of classical algorithms. Applications to the syndrome computation in the decoding of Reed-Solomon codes are highlighted.
1 Introduction

The direct evaluation of a polynomial $P(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_0$ of degree $n$ over a ring or a field in a point $\alpha$ may be performed computing the $n$ powers $\alpha^i$ recursively as $\eta_{i+1} = \alpha\eta_i$, for $i = 1, \ldots, n-1$, starting with $\eta_1 = \alpha$, obtaining $P(\alpha)$ as

$$P(\alpha) = a_0 + a_1\eta_1 + a_2\eta_2 + \cdots + a_n\eta_n .$$

This method requires $2n - 1$ multiplications and $n$ additions. However, Horner's rule (e.g. [7]), which has become a standard, is more efficient and computes the value $P(\alpha)$ iteratively as

$$P(\alpha) = (\cdots((a_n\alpha + a_{n-1})\alpha + a_{n-2})\alpha + \cdots + a_1)\alpha + a_0 .$$

This method requires $n$ multiplications and $n$ additions. In particular scenarios, for example when the number of possible values of the coefficients is finite, more advantageous procedures can be used, as it will be shown in this document.

We point out that what is usually considered in the literature to establish upper and lower bounds to the minimum number of both "scalar" and "nonscalar" multiplications refers, sometimes implicitly, to polynomials with coefficients taken from an infinite set, e.g. fields of characteristic zero, or algebraically closed fields. In fact, in [2, 8, 14], Horner's rule is proved to be optimal assuming that the field of coefficients is infinite; instead, we show that this is not the case if the coefficients belong to a finite field. Furthermore, in [9], restricting the field of coefficients to the rational field, and converting multiplications by integers into iterated sums (therefore scalar multiplications are not counted in that model), it is shown that the number of required multiplications is less than that required by Horner's rule, although the number of sums can grow unboundedly.

In the following we describe a method to evaluate polynomials with coefficients over a finite field $\mathbb{F}_{p^s}$, and estimate its complexity in terms of field multiplications and sums. However, as is customary, we only focus on the number of multiplications, which are more expensive operations than additions: in $\mathbb{F}_{2^m}$, for example, the cost of an addition is $O(m)$ in space and 1 clock in time, while the cost of a multiplication is $O(m^2)$ in space and $O(\log_2 m)$ in time (HI). Clearly, field multiplication by look-up tables may be faster, but this approach is only possible for small values of $m$. We also keep track of the number of additions, so as to verify that a reduction in the number of multiplications does not bring with it an exorbitant increase in the number of additions. Our approach exploits the Frobenius automorphism and its group properties, therefore we call it "polynomial automorphic evaluation".

The next Section describes the principle of the algorithm, with two different methods, referring to the evaluation in a point of $\mathbb{F}_{p^m}$ of a polynomial with coefficients in the prime field $\mathbb{F}_p$. The complexity is carefully estimated in order to make the comparisons self-evident. Section 3 concerns the evaluation in $\mathbb{F}_{p^m}$ of polynomials with coefficients in $\mathbb{F}_{p^s}$, for any $s > 1$ dividing $m$: different approaches will be described and their complexity compared. Section 4 includes examples concerning the syndrome computation in the algebraic decoding of error-correcting codes (cf. also 1,11,1 ), and some final remarks.

2 Polynomial automorphic evaluation: basic principle 

Consider a polynomial $P(x)$ of degree $n > p$ over a prime field $\mathbb{F}_p$, and let $\alpha$ be an element of $\mathbb{F}_{p^m}$. We write $P(x)$ as a sum of polynomials

$$P(x) = P_{1,0}(x^p) + xP_{1,1}(x^p) + \cdots + x^{p-1}P_{1,p-1}(x^p) , \qquad (1)$$

where $P_{1,0}(x^p)$ collects the powers of $x$ with exponent a multiple of $p$ and in general $x^iP_{1,i}(x^p)$ collects the powers of the form $x^{ap+i}$, with $a \in \mathbb{N}$ and $0 \leq i \leq p-1$.

First method. If $\sigma$ is the Frobenius automorphism of $\mathbb{F}_{p^m}$ mapping $\gamma$ to $\gamma^p$, which leaves invariant the elements of $\mathbb{F}_p$, we write the expression above as

$$P_{1,0}(\sigma(x)) + xP_{1,1}(\sigma(x)) + \cdots + x^{p-1}P_{1,p-1}(\sigma(x)) ,$$

where $P_{1,i}(y)$, $i = 0, \ldots, p-1$, are polynomials of degree $\lfloor n/p \rfloor$ at most. Then we may evaluate these $p$ polynomials in the same point $\sigma(\alpha)$, and obtain $P(\alpha)$ as the linear combination

$$P_{1,0}(\sigma(\alpha)) + \alpha P_{1,1}(\sigma(\alpha)) + \cdots + \alpha^{p-1}P_{1,p-1}(\sigma(\alpha)) .$$

A possible strategy is now to evaluate recursively the powers $\alpha^j$ for $j$ from 2 up to $p$, and $\sigma(\alpha)^j$ for $j$ from 2 up to $\lfloor n/p \rfloor$, compute the $p$ numbers $P_{1,i}(\sigma(\alpha))$, $i = 0, \ldots, p-1$, using $n$ sums and at most $\lfloor n/p \rfloor(p-2)$ products (the powers of $\sigma(\alpha)$ times their possible coefficients; the multiplications by 0 and 1 are not counted), and obtain $P(\alpha)$ with $p-1$ products and $p-1$ additions. The total number $M_p(n)$ of multiplications is

$$M_p(n) = p - 1 + \left\lfloor \frac{n}{p} \right\rfloor - 1 + (p-1) + \left\lfloor \frac{n}{p} \right\rfloor (p-2) = 2p - 3 + \left\lfloor \frac{n}{p} \right\rfloor (p-1) .$$

Then this procedure is more efficient compared to Horner's rule as far as $M_p(n) < n$. For example, if $p = 3$ and $n = 10$ we have $M_3(10) = 9 < 10$, and for every $n > 10$ the outlined method is always more efficient. More in general the condition is certainly satisfied whenever $n > 2p^2 - 3p$, as it can be verified by considering $n$ written in base $p$.

Let us see an example in detail, for the sake of clarity, in the case $p = 3$ and $n = 10$. Suppose we want to evaluate the polynomial $f(x) = 1 + 2x + x^2 + 2x^4 + x^5 + x^6 + 2x^8 + x^{10}$ in some element $\alpha \in \mathbb{F}_{3^m}$. Writing $f(x)$ as in equation (1)

$$f(x) = 1 + x^6 + x(2 + 2x^3 + x^9) + x^2(1 + x^3 + 2x^6) ,$$

we see that it is sufficient to compute $\alpha^2$, $\alpha^3$, $\alpha^6$, $\alpha^9$, then $2\alpha^3$, $2\alpha^6$, $2\alpha^9$ (all possible coefficients needed to evaluate the three sub-polynomials), and lastly the two products by $\alpha$ and $\alpha^2$ in front of the brackets, for a total of 9 multiplications. Note that actually $2\alpha^9$ is not needed for this particular example, but in general we always suppose to have a worst case situation. Clearly $\alpha$ should belong to $\mathbb{F}_{3^m}$ for some $m$ such that $3^m > n$, so that the powers of $\alpha$ up to the exponent $n$ are all different. Note, in particular, that if both the coefficients and the evaluation point are in $\mathbb{F}_p$, then the polynomial has degree at most $p - 1$, and our methods cannot be applied.

However, the above mechanism can be iterated, and the point is to find the number of steps or iterations yielding the maximum gain. In fact we can prove the following:

Theorem 1 Let $L_{opt}$ be the number of steps of this method yielding the minimum number of products, $G_1(p, n, L_{opt})$, required to evaluate a polynomial of degree $n$ with coefficients in $\mathbb{F}_p$. Then $L_{opt}$ is either the integer which is nearest to $\log_p \sqrt{n(p-1)}$, or this integer minus 1, and asymptotically we have:

$$G_1(p, n, L_{opt}) \approx 2\sqrt{n(p-1)} .$$

Proof. 

At step $i$, the number of polynomials at step $i - 1$ is multiplied by $p$ since each polynomial $P_{i-1,h}(x)$ is partitioned into $p$ sub-polynomials $P_{i,j+ph}(x)$, $j$ varies between 0 and $p - 1$, of degree roughly equal to the degree of $P_{i-1,h}(x)$ divided by $p$, that is of degree $\lfloor n/p^i \rfloor$; the number of these polynomials is $p^i$.

After $L$ steps we need to evaluate $p^L$ polynomials of degree nearly $n/p^L$, then $P(\alpha)$ is reconstructed performing back the linear combinations with the polynomials $P_{i,h}(x)$ substituted by the corresponding values $P_{i,h}(\alpha)$. The total cost of the procedure, in terms of multiplications and additions, is composed of the following partial costs

• Evaluation of $p$ powers of $\alpha$, this step also produces $\sigma(\alpha) = \alpha^p$, and requires $p - 1$ products.

• Evaluation of $(\sigma^i(\alpha))^j$, $i = 1, \ldots, L-1$, $j = 2, \ldots, p$; this step also produces $\sigma^L(\alpha)$, and requires $(p-1)(L-1)$ products.

• Evaluation of $\lfloor n/p^L \rfloor$ powers of $\sigma^L(\alpha)$, this step requires $\lfloor n/p^L \rfloor - 1$ products.

• Evaluation of $p^L$ polynomials $P_{L,j}(x)$, of degree at most $\lfloor n/p^L \rfloor$, at the same point $\sigma^L(\alpha)$, this step requires $n$ additions and $\lfloor n/p^L \rfloor(p-2)$ products at most.

• Computation of $p - 1 + (p^2 - p) + \cdots + p^L - p^{L-1} = p^L - 1$ multiplications by powers of $\sigma^i(\alpha)$, ($i = 0, \ldots, L-1$).

• Computation of $p - 1 + (p^2 - p) + \cdots + p^L - p^{L-1} = p^L - 1$ additions.

The total number of products as a function of $n$, $p$ and $L$ is then

$$G_1(p, n, L) = \left\lfloor \frac{n}{p^L} \right\rfloor (p-1) + L(p-1) + p^L - 2 ,$$

which should be minimized with respect to $L$. The values of $L$ that correspond to local minima are specified by the conditions

$$G_1(p, n, L) < G_1(p, n, L-1) \quad \text{and} \quad G_1(p, n, L) < G_1(p, n, L+1) , \qquad (2)$$

which can be explicitly written in the forms

$$\left\lfloor \frac{n}{p^L} \right\rfloor + p^{L-1} < \left\lfloor \frac{n}{p^{L-1}} \right\rfloor - 1 \quad \text{and} \quad \left\lfloor \frac{n}{p^L} \right\rfloor - p^L < \left\lfloor \frac{n}{p^{L+1}} \right\rfloor + 1 .$$

Let $\{x\}$ denote the fractional part of $x$, then $\lfloor x \rfloor = x - \{x\}$, thus the last inequalities can be written as

$$1 + \left\{ \frac{n}{p^{L-1}} \right\} - \left\{ \frac{n}{p^L} \right\} < \frac{n}{p^{L-1}} - \frac{n}{p^L} - p^{L-1} \quad \text{and} \quad \frac{n}{p^L} - \frac{n}{p^{L+1}} - p^L < 1 + \left\{ \frac{n}{p^L} \right\} - \left\{ \frac{n}{p^{L+1}} \right\} .$$

Since $\{x\}$ is a number less than 1, these inequalities can be relaxed to

$$0 < \frac{n}{p^{L-1}} - \frac{n}{p^L} - p^{L-1} \quad \text{and} \quad \frac{n}{p^L} - \frac{n}{p^{L+1}} - p^L < 2 ,$$

which imply

$$p^{2L} < n(p-1)p \quad \text{and} \quad n(p-1) + p < p^{2L+1} + 2p^{L+1} + p = p(p^L + 1)^2 .$$

Thus, we have the chain of inequalities 

and taking the logarithm to base p we have 

" (v^^^^ + /^^) - ^ + ^^^^ ^ 



(3) 



which shows that at most two values of $L$ satisfy the conditions for a minimum, because $L$ is constrained to be in an interval of amplitude $1 + \epsilon$, with $\epsilon = \log_p\left(\sqrt{1 + \frac{p}{n(p-1)}} + \sqrt{\frac{p}{n(p-1)}}\right)$, around the point of coordinate $\log_p \sqrt{n(p-1)}$. Therefore, the optimal value $L_{opt}$ is either the integer which is nearest to $\log_p \sqrt{n(p-1)}$, or this integer minus 1. Hence, we have the very good asymptotic estimation $L_{opt} \approx \log_p \sqrt{n(p-1)}$, and correspondingly a very good asymptotic estimation for $G_1(p, n, L_{opt})$, that is

$$G_1(p, n, L_{opt}) \sim 2\sqrt{n(p-1)} .$$

□ 
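
The product count of the first method can be checked by running it, as an added example in Python that is not code from the paper. It assumes $\mathbb{F}_{3^5}$ modelled as $\mathbb{F}_3[x]/(x^5 + 2x + 1)$, constructed input polynomials, and helper names and a sub-polynomial indexing chosen here; every field product, including those by the coefficient 2, is counted as in the worst case of the proof.

```python
P = 3                          # field characteristic p
MOD = [1, 2, 0, 0, 0, 1]       # x^5 + 2x + 1, low degree first (assumed model of F_{3^5})
M = len(MOD) - 1
ZERO, ONE = (0,) * M, (1,) + (0,) * (M - 1)

def const(c):                  # embed c in F_p into F_{p^m}
    return (c % P,) + (0,) * (M - 1)
def add(a, b):                 # additions are not counted
    return tuple((x + y) % P for x, y in zip(a, b))

class Field:
    """Products in F_p[x]/(MOD), counting every multiplication performed."""
    def __init__(self):
        self.mults = 0
    def mul(self, a, b):
        self.mults += 1
        prod = [0] * (2 * M - 1)
        for i, ai in enumerate(a):
            for j, bj in enumerate(b):
                prod[i + j] = (prod[i + j] + ai * bj) % P
        for d in range(2 * M - 2, M - 1, -1):        # reduce modulo the monic MOD
            c = prod[d]
            for k in range(M + 1):
                prod[d - M + k] = (prod[d - M + k] - c * MOD[k]) % P
        return tuple(prod[:M])

def horner(F, coeffs, alpha):  # coeffs[i] in {0..p-1} is the coefficient of x^i
    acc = const(coeffs[-1])
    for c in reversed(coeffs[:-1]):
        acc = add(F.mul(acc, alpha), const(c))
    return acc

def combine(F, zp, parts):     # parts[0] + z*parts[1] + ... + z^(p-1)*parts[p-1]
    acc = parts[0]
    for j in range(1, P):
        acc = add(acc, F.mul(zp[j], parts[j]))
    return acc

def automorphic(F, coeffs, alpha, L):
    q = P ** L
    h = (len(coeffs) - 1) // q
    z, zpow = alpha, []        # z runs through sigma^i(alpha) = alpha^(p^i)
    for _ in range(L):         # powers z^2..z^p at each level: L(p-1) products
        row = [ONE, z]
        for _ in range(P - 1):
            row.append(F.mul(row[-1], z))
        zpow.append(row[:P])
        z = row[P]
    ypow = [ONE, z]            # powers of y = sigma^L(alpha): h-1 products
    for _ in range(h - 1):
        ypow.append(F.mul(ypow[-1], z))
    scaled = {(1, k): ypow[k] for k in range(h + 1)}
    for c in range(2, P):      # all multiples c*y^k (worst case): h(p-2) products
        scaled[(c, 0)] = const(c)
        for k in range(1, h + 1):
            scaled[(c, k)] = F.mul(const(c), ypow[k])
    vals = []                  # the p^L leaf polynomials need additions only
    for j in range(q):         # leaf j holds the coefficients a_j, a_{j+q}, a_{j+2q}, ...
        acc = ZERO
        for k, c in enumerate(coeffs[j::q]):
            acc = add(acc, scaled[(c, k)]) if c else acc
        vals.append(acc)
    for i in range(L - 1, -1, -1):   # recombine level by level: p^L - 1 products
        step = P ** i
        vals = [combine(F, zpow[i], vals[r::step]) for r in range(step)]
    return vals[0]

def G1(p, n, L):               # product count from the proof of Theorem 1
    return (n // p**L) * (p - 1) + L * (p - 1) + p**L - 2

def compare(coeffs, alpha, L): # (same value?, Horner products, automorphic products)
    fh, fa = Field(), Field()
    same = horner(fh, coeffs, alpha) == automorphic(fa, coeffs, alpha, L)
    return same, fh.mults, fa.mults

def sample_poly(n):            # constructed degree-n polynomial over F_p
    return [pow(5, i, 257) % P for i in range(n)] + [1]

SAMPLE = [1, 2, 1, 0, 2, 1, 1, 0, 2, 0, 1]   # degree-10 polynomial (p = 3, n = 10 case)
ALPHA = (0, 1, 0, 0, 0)                       # the class of x in F_{3^5}
```

For the degree-10 polynomial one step costs 9 products against 10 for Horner's rule; for degree 200 the count is smallest at $L = 3$ (45 products against 200), the integer nearest to $\log_3 \sqrt{400} \approx 2.73$.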

Second method. We describe here another approach exploiting the Frobenius automorphism in a different way; although it will appear to be asymptotically less efficient than the above method, it may be useful in particular situations, as shown in Section 4.
Since the coefficients are in $\mathbb{F}_p$,

$$P(x) = P_{1,0}(x^p) + xP_{1,1}(x^p) + \cdots + x^{p-1}P_{1,p-1}(x^p)$$

can be written as

$$P_{1,0}(x)^p + xP_{1,1}(x)^p + \cdots + x^{p-1}P_{1,p-1}(x)^p ,$$

where $P_{1,i}(x)$, $i = 0, \ldots, p-1$, are polynomials of degree $\lfloor n/p \rfloor$ at most. Then we may evaluate these $p$ polynomials in the same point $\alpha$, and obtain $P(\alpha)$ as the linear combination

$$P_{1,0}(\alpha)^p + \alpha P_{1,1}(\alpha)^p + \cdots + \alpha^{p-1}P_{1,p-1}(\alpha)^p .$$

A possible strategy is to evaluate recursively the powers $\alpha^j$ for $j = 2, \ldots, \lfloor n/p \rfloor$, compute the $p$ numbers $P_{1,i}(\alpha)$, $i = 0, \ldots, p-1$, using sums and at most $\lfloor n/p \rfloor(p-2)$ products (the powers of $\alpha$ times their possible coefficients), and obtain $P(\alpha)$ with $p$ $p$-th powers, $p - 1$ products and $p - 1$ additions. The total number of multiplications is $\lfloor n/p \rfloor - 1 + (p-1) + pc_p + \lfloor n/p \rfloor(p-2)$, where $c_p$ denotes the number of products required by a $p$-th power (so $c_2 = 1$ and $c_p \leq 2\lfloor \log_2 p \rfloor$). The mechanism may be iterated: after $L$ steps we need to evaluate $p^L$ polynomials of degree nearly $n/p^L$, then $P(\alpha)$ is reconstructed performing back the linear combinations with the $p$-powers of the polynomials $P_{i,h}(x)$ substituted by the corresponding values $P_{i,h}(\alpha)$.

Theorem 2 Let $L_{opt}$ be the number of steps of this method yielding the minimum number of products, $G_2(p, n, L_{opt})$, required to evaluate a polynomial of degree $n$ with coefficients in $\mathbb{F}_p$. Then $L_{opt}$ lies in an interval around $\log_p \sqrt{\frac{n(p-1)^2}{pc_p + p - 1}}$ of length at most 2, and asymptotically we have:

$$G_2(p, n, L_{opt}) \approx 2\sqrt{n(pc_p + p - 1)} .$$

Proof. 

The total cost of the procedure, in terms of multiplications and additions, is composed of the following partial costs

• Evaluation of $\lfloor n/p^L \rfloor$ powers of $\alpha$.

• Evaluation of $p^L$ polynomials $P_{L,j}(x)$, of degree at most $\lfloor n/p^L \rfloor$, at the same point $\alpha$, this step requires $n$ additions and $\lfloor n/p^L \rfloor(p-2)$ products.

• Computation of $p + p^2 + \cdots + p^L = \frac{p^{L+1} - p}{p - 1}$ $p$-th powers.

• Computation of $p - 1 + (p^2 - p) + \cdots + p^L - p^{L-1} = p^L - 1$ multiplications by powers of $\alpha$.

• Computation of $p - 1 + (p^2 - p) + \cdots + p^L - p^{L-1} = p^L - 1$ additions.

Then the total number of products as a function of $n$, $p$ and $L$ is

$$G_2(p, n, L) = \left\lfloor \frac{n}{p^L} \right\rfloor - 1 + \frac{p^{L+1} - p}{p - 1} c_p + (p^L - 1) + \left\lfloor \frac{n}{p^L} \right\rfloor (p-2) ,$$

which should be minimized with respect to $L$. The optimal value of $L$ is obtained by conditions analogous to (2) and arguing as above we find that this optimal value must be included in a very small interval.

Setting y = An{pcp + p — 1)|, the optimal value for L turns out to be included into an interval 
around Li = logp \J^^^i of extremes 



^i-^-logp(^l + i + yi) and ^i + ^ + log,(yi + i + yi 

which restricts the choice of $L_{opt}$ to at most two values. Hence, we have the very good asymptotic estimation $L_{opt} \sim \log_p \sqrt{\frac{n(p-1)^2}{pc_p + p - 1}}$, and correspondingly a very good asymptotic estimation for $G_2(p, n, L_{opt})$, that is

$$G_2(p, n, L_{opt}) \sim 2\sqrt{n(pc_p + p - 1)} . \qquad (4)$$

□ 



2.1 p = 2

The prime 2 is particularly interesting because of its occurrence in many practical applications, for example in error correction coding. In this setting an important issue is the computation of syndromes for a binary code ([12]), where it is usually needed to evaluate a polynomial in several powers of a particular value, so that an additional advantage of the proposed method may be the possibility of precomputing the powers of $\alpha$.

A polynomial $P(x)$ over the binary field is simply decomposed into a sum of two polynomials by collecting odd and even powers of $x$ as

$$P(x) = P_{1,0}(x^2) + xP_{1,1}(x^2) = P_{1,0}(x)^2 + xP_{1,1}(x)^2 .$$

The mechanism is then the same as for odd $p$ with a few simplifications. The main point is that we do not need to multiply with the coefficients, which are either 0 or 1, so only sums are finally involved when evaluating the polynomials.

And to evaluate $2^L$ polynomials at the same point $\alpha$ we would need to evaluate the powers $\alpha^j$ for $j = 2, \ldots, \lfloor n/2^L \rfloor$, and then obtain each $P_{L,j}(\alpha)$ by adding those powers corresponding to non-zero coefficients; the number of additions per each polynomial is nearly $n/2^L$, then the total number of additions is not more than $n$. But the actual number of additions is much smaller if sums of equal terms can be reused, and it is upper bounded by $O(n/\log n)$. This bound is a consequence of the fact that in order to evaluate $2^L$ polynomials of degree $h = \lfloor n/2^L \rfloor$ at the same point $\alpha$, we have to compute $2^L$ sums of the form

$$\alpha^{i_1} + \cdots + \alpha^{i_m} , \quad m \leq h ,$$

having at disposal the $h$ powers $\alpha^i$. We can then think of a $2^L \times \lfloor n/2^L \rfloor$ binary matrix to be multiplied by a vector of powers of $\alpha$, and assuming $2^L \approx n/2^L$ (as follows from the estimation of the minimum discussed above), we may consider the matrix to be square and apply [5, Theorem 2].

3 Automorphic evaluation of polynomials over extended fields 

This section considers the evaluation in $\alpha$, an element of $\mathbb{F}_{p^m}$, of polynomials $P(x)$ of degree $n$ over $\mathbb{F}_{p^s}$, a subfield of $\mathbb{F}_{p^m}$ larger than $\mathbb{F}_p$, thus $s > 1$ and $s \mid m$. There are two ways to face the problem: one way is more direct, the second way exploits the Frobenius automorphism.

First method. Let $\beta$ be a generator of a polynomial basis of $\mathbb{F}_{p^s}$, i.e. $\beta$ is a root of an irreducible $s$-degree polynomial over $\mathbb{F}_p$, expressed as an element of $\mathbb{F}_{p^m}$, then $P(x)$ can be written as

$$P(x) = P_0(x) + \beta P_1(x) + \beta^2 P_2(x) + \cdots + \beta^{s-1}P_{s-1}(x) , \qquad (5)$$

where $P_i(x)$, $i = 0, \ldots, s-1$, are polynomials over $\mathbb{F}_p$ (cf. also [10]). Then $P(\alpha)$ can be obtained as a linear combination of the $s$ numbers $P_i(\alpha)$. Thus the problem of evaluating $P(\alpha)$ is reduced to the problem of evaluating $s$ polynomials $P_i(x)$ with $p$-ary coefficients followed by the computation of $s - 1$ products and $s - 1$ sums in $\mathbb{F}_{p^m}$.
We can state then the following:

Theorem 3 The minimum number of products required to evaluate a polynomial of degree $n$ with coefficients in $\mathbb{F}_{p^s}$ is upper bounded by $2s(\sqrt{n(p-1)} + 1)$.

Proof. The upper bound is a consequence of Theorem 1 and the comments following equation 

□ 

The total complexity grows asymptotically as $2s\sqrt{n(p-1)}$, so that a general upper bound (possibly tight) for the number of multiplications that are sufficient to compute $P(\alpha)$, when $P(x)$ has coefficients in any subfield of $\mathbb{F}_{p^m}$, is then $2m(\sqrt{n(p-1)} + 1)$.

Second method. This consists in generalizing the basic principle directly. We will show the following:

Theorem 4 $G_1(p^s, n, L_{opt}) \approx 2\sqrt{n(p^s - 1)}$ and $G_2(p^s, n, L_{opt}) \approx 2\sqrt{n(p^s - 1)} \cdot \sqrt{1 + c_{p^{s-1}} + c_p \frac{p}{p-1}}$.
Proof.

As for the first description, the point now is that there are $p^s - 1$ possible coefficients to be multiplied, so that we get an asymptotic complexity of $G_1(p^s, n, L_{opt}) \sim 2\sqrt{n(p^s - 1)}$.
Considering the second variant, $P(x) = P_{1,0}(x^p) + xP_{1,1}(x^p) + \cdots + x^{p-1}P_{1,p-1}(x^p)$ is now not directly decomposable into a sum of powers of the polynomials $P_{1,i}(x)$ since the Frobenius automorphism $\sigma$ alters their coefficients. However, we can write (1) as

p,-^ixr + xp,-iixr ■■■+ xp-'p,-i_,ixr , 

where stands for the polynomial obtained from by substituting its coefficients with 

their transforms through a^^ (and if we iterate this for k times we would consider a^''). Notice 
that the polynomials P^l{x) have degree at most rij = and are obtained by computing a total 

of n automorphisms a^^. However, in order to compute the p numbers P^l (a), i = 0, . . . , p — 1, it 
is not necessary to compute the total number of n inverse automorphisms observing that 

"i rii 
3=0 j=0 

where $c_j$, $j = 1, \ldots, n_i$, are the coefficients of $P_{1,i}(x)$. It is then sufficient to first evaluate $\sigma(\alpha)$, compute then $P_{1,i}(\sigma(\alpha))$ and finally apply $\sigma^{-1}$. This procedure requires the application of only $p$ automorphisms $\sigma^{-1}$ instead of $n$.

If we perform $L$ steps, we need to apply $\sigma^{-L}$ a number of times not greater than $p^L$. Notice also that what matters is $L$ modulo $s$, because $\sigma^s$ is the identity automorphism in $\mathbb{F}_{p^s}$, the field of the coefficients. The number of multiplications to be minimized becomes:

G2{f,n, L) = c /"^^^"^ + - 1 + v-ip^ + L {f - 1) , 

where the automorphism counts like a power with exponent $p^K$, with $K = L \bmod s \leq s - 1$.
The optimal value of $L$ is obtained by analogues of conditions (2) and arguing as above we find that this optimal value must be included in a very small interval.

Setting y = ^""^ ^'^^'^^p^s^i-^'""'^^ the optimal value for L is included into an interval 
around = log^ J of extremes 



^2-^-logp(yi + ^ + yi) and ^2 + ^ + log,(yi + ^ + yi) , (6) 

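which restricts the choice of $L_{opt}$ to at most two values. Hence, we have the very good asymptotic estimation $L_{opt} \sim \log_p \sqrt{\frac{n(p^s - 1)(p-1)}{pc_p + p - 1 + c_{p^{s-1}}(p-1)}}$, and correspondingly

$$G_2(p^s, n, L_{opt}) \approx 2\sqrt{n(p^s - 1)\left(1 + c_{p^{s-1}} + c_p \frac{p}{p-1}\right)} .$$

□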
4 Examples and conclusions

In some circumstances, for example when $s \approx m \approx \log_p n$, the optimal $L$ and the consequent estimated computational cost may obscure the advantages of the new approach, suggesting the practical use of standard techniques. However, this might not be always a good strategy, as shown by the following example borrowed from the error correcting codes.

Let us consider the Reed-Solomon codes that are used in any CD-ROM, or the famous Reed-Solomon code [255, 223, 33] over $\mathbb{F}_{2^8}$ used by NASA ([13]): in such applications an efficient evaluation of polynomials over in points of the same field is of the greatest interest (see also lllT|).

What we now intend to show is that in particular scenarios the proposed methods allow additional cost reductions that can be obtained by a clever choice of the parameters, for example choosing $L$ as a factor of $m$ that is close to the optimal value previously found and employing some other strategies as explained below.

The idea will be illustrated considering the computation of the syndromes needed in the decoding of the above mentioned Reed-Solomon code. We will only show how to obtain the 32 syndromes; from that point onwards decoding may employ the standard Berlekamp-Massey algorithm, the Chien search to locate errors, and the Forney algorithm to compute the error magnitudes (111).

Let $r(x) = \sum_{i=0}^{254} r_i x^i$, $r_i \in \mathbb{F}_{2^8}$, be a received code word of the Reed-Solomon code [255, 223, 33] generated by the polynomial $g(x) = \prod_{i=1}^{32}(x - \alpha^i)$, with $\alpha$ a primitive element of $\mathbb{F}_{2^8}$, i.e. a root of + + + x + 1. The aim is to evaluate the syndromes $S_j = r(\alpha^j)$, $j = 1, \ldots, 32$.

A possible approach is as follows. The power $\beta =$ is a primitive element of the subfield $\mathbb{F}_{2^4}$, it is a root of the polynomial $x^4 + x^3 + 1$, and has trace 1 in $\mathbb{F}_{2^4}$. Therefore, a root $\gamma$ of $z^2 + z + \beta$ is not in $\mathbb{F}_{2^4}$ (see [6, Corollary 3.79, p. 118]), but it is an element of $\mathbb{F}_{2^8}$, and every element of $\mathbb{F}_{2^8}$ can be written as $a + b\gamma$ with $a, b \in \mathbb{F}_{2^4}$. Consequently, we can write $r(x) = r_1(x) + \gamma r_2(x)$ as a sum of two polynomials over $\mathbb{F}_{2^4}$, evaluate each $r_i(x)$ in the roots of $g(x)$, and obtain each syndrome $S_j = r(\alpha^j) = r_1(\alpha^j) + \gamma r_2(\alpha^j)$ with 1 multiplication and 1 sum.

Now, we choose to adopt our second variant, which turns out to be very well-suited since we will actually avoid computing any automorphism. If $p(x)$ is either $r_1(x)$ or $r_2(x)$, in order to evaluate $p(\alpha^j)$ we must consider the decomposition

$$p(x) = \left(\sigma^{-1}(p_0) + \sigma^{-1}(p_2)x + \cdots + \sigma^{-1}(p_{254})x^{127}\right)^2 + x\left(\sigma^{-1}(p_1) + \sigma^{-1}(p_3)x + \cdots + \sigma^{-1}(p_{253})x^{126}\right)^2 .$$

Now, each of the two parts can be decomposed again into the sum of two polynomials of degree at most 63, for instance

$$\sigma^{-1}(p_0) + \sigma^{-1}(p_2)x + \cdots + \sigma^{-1}(p_{254})x^{127} = \left(\sigma^{-2}(p_0) + \sigma^{-2}(p_4)x + \cdots + \sigma^{-2}(p_{252})x^{63}\right)^2 + x\left(\sigma^{-2}(p_2) + \sigma^{-2}(p_6)x + \cdots + \sigma^{-2}(p_{254})x^{63}\right)^2$$

and at this stage we have four polynomials to be evaluated. The next two steps double the number of polynomials and halve their degree; one polynomial per each stage is given here as an example

$$\sigma^{-2}(p_0) + \sigma^{-2}(p_4)x + \cdots + \sigma^{-2}(p_{252})x^{63} = \left(\sigma^{-3}(p_0) + \sigma^{-3}(p_8)x + \cdots + \sigma^{-3}(p_{248})x^{31}\right)^2 + x\left(\sigma^{-3}(p_4) + \sigma^{-3}(p_{12})x + \cdots + \sigma^{-3}(p_{252})x^{31}\right)^2$$

$$\sigma^{-3}(p_0) + \sigma^{-3}(p_8)x + \cdots + \sigma^{-3}(p_{248})x^{31} = \left(\sigma^{-4}(p_0) + \sigma^{-4}(p_{16})x + \cdots + \sigma^{-4}(p_{240})x^{15}\right)^2 + x\left(\sigma^{-4}(p_8) + \sigma^{-4}(p_{24})x + \cdots + \sigma^{-4}(p_{248})x^{15}\right)^2$$

Since we choose to halt the decomposition at this stage (notice that $L = 4$ is a putative optimal value given by (6)), we must evaluate 16 polynomials of degree at most 15 with coefficients in $\mathbb{F}_{2^4}$. We do not need to compute $\sigma^{-4}$ on the coefficients, as $\sigma^{-4}(p_i) = p_i$, since the coefficients are in $\mathbb{F}_{2^4}$ and any element $\beta$ in this field satisfies the condition $\beta^{2^4} = \beta$.

We remark that up to now we have only indicated how to partition the original polynomial. This task does not require any computation, it just defines in which order to read the coefficients of the original polynomial.

Now, let $K$ be the number of code words to be decoded. We compute only once the following field elements:

• $\alpha^i$, $i = 2, \ldots, 254$, and this requires 253 multiplications;

• $\alpha^i \cdot \beta^j$ for $i = 0, \ldots, 254$ and $j = 1, \ldots, 14$, which requires $255 \cdot 14 = 3570$ multiplications.

Then only sums (that can be performed in parallel) are required to evaluate 16 polynomials of degree 15 for each $\alpha^j$, $j = 1, \ldots, 32$. Once we have the values of these polynomials, in order to reconstruct each of $r_1(\alpha^j)$ and $r_2(\alpha^j)$, we need

• 16 + 8 + 4 + 2 squares

• 8 + 4 + 2 + 1 multiplications (and the same number of sums).

Summing up, every $r(\alpha^j) = r_1(\alpha^j) + \gamma r_2(\alpha^j)$ is obtained with $2 \cdot 45 + 1 = 91$ multiplications. Then the total cost of the computation of 32 syndromes drops down from $31 + 32 \cdot 254 = 8159$ with Horner's rule to $32 \cdot 91 + 3570 + 253 = 6735$. Since we have $K$ code words the total cost drops from $31 + 8128 \cdot K$ to $3823 + 2912 \cdot K$, with two further advantages:

- many operations can be parallelized, further increasing the speed;

- the multiplications can be performed in $\mathbb{F}_{2^4}$ instead of $\mathbb{F}_{2^8}$, if we write = $a_j + \gamma b_j$; this might increase the number of multiplications, but they would be much faster.

As said, this example was meant to show that there are important applications of polynomial evaluation which can take advantage of a complexity reduction and that there are certainly many other possibilities to further reduce the costs, depending on the particular problem at hand, the model in consideration and the available technology (e.g. availability of storage, of pre-computed tables for finite field multiplications, etc.). In particular, this paper has been mainly devoted to the single-point evaluation of polynomials, showing that it is possible to achieve significant complexity reduction with respect to Horner's rule even without any precomputation or storage, especially when the degree of the polynomial is large. In other models, it may be possible to have the powers of $\alpha$ as already given data and to store relatively large binary matrices in order to reduce the number of multiplications in a multi-point evaluation scenario or it may be possible to reduce them at the cost of a significant increase of the number of additions. For all these different models, we refer to the vast literature on multi-point evaluation, e.g. IITll3l[T0ll.

In conclusion, we have proposed some methods to evaluate polynomials in extensions of finite fields that have a multiplicative asymptotical complexity $O(\sqrt{n})$, much better than $O(n)$, the complexity of standard methods; the constant involved is a function of the field characteristic. We have proposed different variants and shown that the choice of an evaluation scheme that uses possibly the smallest number of multiplications follows from a careful analysis of the particular situation and might involve the adoption of special tricks dependent on the combination of parameters. It remains to ascertain whether there exists some evaluation algorithm doing asymptotically better, i.e. having a complexity $O(n^t)$ with $t < \frac{1}{2}$.